
Inline workers break CSP

Open piotrblasiak opened this issue 4 years ago • 4 comments

When using CSP (Content Security Policy), inline workers require the use of the script-src blob: policy, which is a big no-no and opens up the whole website for JS injection. Would it be possible to load the worker scripts from hosted .js files somehow instead?

piotrblasiak, Nov 20 '20 09:11

This also applies to stylesheets loaded from cdn.jsdelivr.net - any way we can choose how to load them?

piotrblasiak, Nov 20 '20 09:11

Hi @piotrblasiak, could you provide reproducible code for your question? I'm not sure what the inline workers are.

Yuyz0112, Nov 21 '20 02:11

If you add a Content-Security-Policy header, or an HTML tag like <meta http-equiv="Content-Security-Policy" content="default-src 'self'"/>, you should get a CSP error when trying to use rrweb. I think this is because you are loading web worker code from a blob (inline). You can read more about CSP here: https://content-security-policy.com I hope that explains it.

piotrblasiak, Nov 21 '20 16:11
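The CSP behaviour described in the post above, as an added example that is not rrweb code: a small evaluator of the CSP3 directive fallback chain, showing that under default-src 'self' a blob: worker is blocked, and that a worker-src blob: allowance admits the worker without widening script-src for the whole page. The page origin https://app.example and the URLs are constructed assumptions; only the keywords and host forms needed here are handled, not the full CSP3 grammar.

```javascript
// Added example (not part of rrweb): minimal CSP source-list evaluator.
// Simplified: no ports, path matching, nonces, hashes or 'strict-dynamic'.

// CSP3 fallback chains: a missing directive defers to the next one listed.
const FALLBACK = {
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
  'script-src': ['script-src', 'default-src'],
  'style-src': ['style-src', 'default-src'],
};

// Parse "default-src 'self'; worker-src blob:" into { directive: [sources] }.
function parsePolicy(policy) {
  const out = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Does one source expression match the requested URL? pageOrigin is what
// 'self' resolves to; note that 'self' never matches blob: or data: URLs.
function sourceMatches(src, url, pageOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url === pageOrigin || url.startsWith(pageOrigin + '/');
  if (s === '*') return !/^(blob|data|filesystem):/.test(url); // * excludes these
  if (s.endsWith(':')) return url.startsWith(s);                // scheme, e.g. blob:
  const host = s.includes('://') ? s : 'https://' + s;          // host source (assumed https)
  return url === host || url.startsWith(host + '/');
}

// Pick the governing directive via the fallback chain, then match its sources.
// Returns true when the policy would allow the fetch.
function cspAllows(policy, directive, url, pageOrigin = 'https://app.example') {
  const parsed = parsePolicy(policy);
  const effective = FALLBACK[directive].find((d) => d in parsed);
  if (!effective) return true; // no governing directive present: allowed
  return parsed[effective].some((src) => sourceMatches(src, url, pageOrigin));
}
```

Run cspAllows with the page's policy default-src 'self' and a blob: worker URL to reproduce the block, then with worker-src 'self' blob: to see the narrower fix that still keeps blob: out of script-src.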

Any updates for this problem?

cyucelen, Dec 20 '23 12:12